SEGV Zend/zend_builtin_functions.c

[YuanchengJiang]

Description

The following code:

<?php
function foo($i) {
static $a = $i <= 10 ? foo($fusion + 1) : "Done $i";
}
foo(0);

Resulted in this output:

/home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_builtin_functions.c:1927:9: runtime error: member access within null pointer of type 'const zend_op' (aka 'const struct _zend_op')
    #0 0x48b4c44 in zend_fetch_debug_backtrace /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_builtin_functions.c:1927:9
    #1 0x58beedd in zend_error_zstr_at /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1495:3
    #2 0x58c5e31 in zend_error_va_list /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1606:2
    #3 0x58c6b61 in zend_error_noreturn /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1714:2
    #4 0x4745cf6 in zend_mm_safe_error /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_alloc.c:423:3
    #5 0x4743744 in zend_mm_alloc_pages /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_alloc.c:1059:7
    #6 0x47482fe in zend_mm_alloc_large_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_alloc.c:1137:14
    #7 0x473fa3a in zend_mm_alloc_large /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_alloc.c:1154:9
    #8 0x472aa89 in zend_mm_alloc_heap /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_alloc.c:1509:9
    #9 0x473142a in _emalloc /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_alloc.c:2764:9
    #10 0x4b065e1 in zend_vm_stack_new_page /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute.h:320:38
    #11 0x4b080db in zend_vm_stack_extend /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute.c:228:25
    #12 0x4b1aad6 in zend_vm_stack_push_call_frame_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute.h:344:30
    #13 0x4e1d915 in ZEND_INIT_FCALL_SPEC_CONST_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:4129:9
    #14 0x4b553c3 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58696:12
    #15 0x4b5794c in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64385:2
    #16 0x58cc529 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1943:3
    #17 0x40c0dba in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2594:13
    #18 0x40c1ef8 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2634:9
    #19 0x58e143a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:952:5
    #20 0x58db81f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1363:18
    #21 0x7795c1381d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #22 0x7795c1381e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #23 0x606194 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x606194)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_builtin_functions.c:1927:9 in 

To reproduce:

./php-src/sapi/cli/php  -d "zend_extension=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/opcache.so" -d "opcache.enable_cli=1" -d "opcache.jit=1254" ./test.php

Commit:

7361a1206d28810800d9ecf191d11b08dce7d03f

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

7361a1206d28810800d9ecf191d11b08dce7d03f

Operating System

No response

[iluuu1994]

@devnexen Were you able to verify this one? Did you use any special flags? The reproducer doesn't work for me.

[devnexen]

Nothing special, did you use gcc or clang though ?

[iluuu1994]

I tried GCC, let me try Clang.

[iluuu1994]

Still nothing. Does it fail for you immediately or do you keep it running for a while?

[devnexen]

Not immediatly like 15/20 seconds later (see its configure part if that helps). Note that I use clang 19 but a bit lower should be fine normally.

[devnexen]

just reproduced again

[iluuu1994]

Okay. Doesn't seem to work for me. I don't know why, but I'll leave this up to somebody else then. 🙂 Thanks!